
TLS connection issue

ccna_security
Level 3

Dear all,

After configuring TLS on the ESA (Destination Control: TLS preferred; Mail Policy, Default Policy Parameter: TLS preferred), we tested it by sending and receiving email from different domains. It works as expected. But users complained that they were not able to send email to some domains. Actually they send the email, but the other side does not accept it. After checking the TLS logs and message tracking, I observed that the email is sent from our ESA, but I don't understand why it didn't reach the destination. It is very urgent; please help me solve this problem.

6 Replies

Track down a domain that won't accept the email.

Send mail to it.

Look at the tracking log for that mail...

My first guess is that your system and theirs aren't agreeing on TLS version and/or ciphers to use.

Go to System Administration/SSL Configuration and tell us what your SSL config is for Outbound SMTP.

Hi. Don't you think that if a TLS mismatch occurs, monitor tracking would show a failed TLS event? It shows it is successful.

ppreenja
Cisco Employee
Hello Ccns90,

I believe checking on the message tracking will be helpful. Are you able to see something like "received remote SMTP response '2.6.0" on the same?
Also, check for the DCID connection being formed from the ESA to the next hop and troubleshoot further.

Cheers,
Pratham

Hi Pratham

All I see is:

Message 1834733 to bob@test.com received remote SMTP response 'ok: Message 1054384 accepted'
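
The check asked for above (does tracking show the remote side accepting the message?) can be run over many tracking entries at once. This is an added example, not part of the original thread and not Cisco code; it assumes entries in the same shape as the line quoted above, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Line 1 is the entry quoted in the thread; lines 2-4 are constructed samples.
SAMPLE = """\
Message 1834733 to bob@test.com received remote SMTP response 'ok: Message 1054384 accepted'
Message 1834734 to amy@example.org received remote SMTP response '2.6.0 <id@example.org> Queued mail for delivery'
Message 1834735 to joe@example.net received remote SMTP response '5.7.1 Message rejected by policy'
Message 1834736 to kim@example.net received remote SMTP response '4.7.0 Temporary failure, try again later'
"""

LINE_RE = re.compile(
    r"Message (?P<mid>\d+) to (?P<rcpt>\S+@(?P<domain>\S+)) "
    r"received remote SMTP response '(?P<resp>.*)'$"
)

def classify(resp):
    """Map a remote response to accepted / deferred / rejected / unknown."""
    m = re.match(r"(?:\d{3}[ -])?([245])\.\d+\.\d+", resp)  # enhanced status code
    if not m:
        m = re.match(r"([245])\d\d\b", resp)                # bare reply code
    if m:
        return {"2": "accepted", "4": "deferred", "5": "rejected"}[m.group(1)]
    # Some MTAs answer with free text only, as in the thread's "ok: ... accepted".
    return "accepted" if resp.lower().startswith("ok") else "unknown"

def triage(text):
    """Return {domain: {status: [message ids]}} for every matching line."""
    result = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            status = classify(m["resp"])
            result[m["domain"].lower()][status].append(int(m["mid"]))
    return {d: dict(s) for d, s in result.items()}

def domains_without_acceptance(text):
    """Domains for which no message was ever accepted by the remote MTA."""
    return sorted(d for d, s in triage(text).items() if "accepted" not in s)

if __name__ == "__main__":
    for domain, statuses in triage(SAMPLE).items():
        print(domain, statuses)
    print("never accepted:", domains_without_acceptance(SAMPLE))
```

A domain that shows only `accepted` has taken responsibility for the message at the SMTP level, so the missing mail has to be traced on the receiving side rather than in the TLS handshake.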

I have this problem very often... nearly always a certificate problem.

Check the destination domain with this site:

https://de.ssl-tools.net/mailservers

Maybe you need to install the certificate from the destination server.

You can also get the certificate from the site (screenshot 1.jpg):

https://de.ssl-tools.net/mailservers

Install the certificate on the Cisco ESA:

/network/certificates --> Edit Settings --> Custom List (export list) --> insert the certificate (PEM format) and reinstall the list (screenshot 2.jpg)

Hi

We have a mail.company.com certificate. But we have added the Cisco ESA's default certificate. Do you think it would cause that issue?

I will test one more thing and I will get back to you with the result. Thanks.
